How will GDPR affect recorded calls?

Posted on 16th April 2018 under Blog.

In May 2018, new data protection laws will come into force across Europe. It will become a legal requirement to request an individual’s consent in order for companies to process, store and use their personal information.

GDPR aims to give people more control over how businesses use their data and introduces substantial penalties for organisations that fail to comply with the rules, and for those that incur data breaches.

Why are there call recording requirements?

Call recording is classified as a form of data processing. Currently, call recording in the UK follows legal requirements as defined in the Data Protection Act 1998. This is because recorded calls can capture:

  • Personally identifiable information, such as names and addresses
  • Sensitive personal information, such as banking details, medical records, family details, and religious beliefs

Depending on how a recorded call is going to be used, the current law requires businesses to inform the individuals concerned that this data is going to be captured. Consent is assumed as long as a person is informed about the recording and given the choice to opt out. It is also a requirement that phone call recordings should be stored securely with appropriate steps taken to avoid breaches.

What’s changing?

The main difference with the GDPR will be that it strengthens the rights of the individual over the rights of a business.

The change that companies will need to prepare for is the requirement to actively justify the capture of conversations and the processing of personal information.

There are rules on what you can record and what you can do with the recordings. This depends on many factors, such as your industry, the types of transactions that take place on the calls and the nature of the information that is recorded.

GDPR states six conditions under which call recording is deemed lawful:

1. The people involved in the call have given consent to be recorded
2. The recording is necessary for the fulfilment of a contract
3. The recording is necessary for fulfilling a legal requirement
4. The recording is necessary to protect the interests of one or more participants
5. The recording is in the public interest, or necessary for the exercise of official authority
6. The recording is in the legitimate interests of the recorder unless those interests are overridden by the interests of the participants in the call

Some of these conditions will apply specifically to certain uses of call recording in particular sectors.

Condition three applies to those in the finance industry who are required by the FCA to record all calls leading up to transactions. Non-compliance with the new GDPR regulations can result in heavy fines, so businesses need to be clear about their intentions and practices.

How do you prepare?

Companies must be ready to adapt to the change in regulations and review their data storage to ensure their customers are protected.

Processes and policies must be set in place by May 2018. A thorough audit of call recording practices will give more direction on the steps to take.

  • Do you notify customers the call will be recorded?
  • Is permission requested?
  • How is data stored?
  • Are your call recordings deemed lawful under the six GDPR conditions?

From here you will be able to identify any data breaches and carry out training for all departments within the business.

GDPR does, however, present opportunities. By cleaning up business practices and data, processes become more streamlined and efficient.

Call recording comes as standard with our cloud-based phone system KloudPBX. If you are interested and would like a demonstration then contact us today.